Hash: SHA1

Response Team Boosts Open Source Security

,----[ Quote ]
| All in all, oCERT sounds like a worthwhile project that will provide a
| valuable service to the community of open source vendors and customers. Let's
| hope it wins enough support to sustain itself for the long run. (That name
| might be a problem, for starters -- CERT is a trademark of Carnegie Mellon
| University.)


Pondering when your next break-in will happen

,----[ Quote ]
| I mean how much trust can you have in say, Microsoft, which has, nine
| count 'em nine "high risk" vulnerabilities. Three of those have been on the
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| list for more than a year, and one is closing in on its second birthday.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^|
| In all fairness, Microsoft isn't the only bad egg. Computer Associates, IBM,
| Novell and HP also make multiple appearances on the list.
| Still, it does make me wonder. How long exactly can some of those ancient
| security holes go unfixed before someone else discovers them? Say someone who
| will immediately put his discovery to use by quietly infecting a few million
| Windows PCs?


Other flaws they just sweep under the rug too. Not anymore:

Hacker marketplace to help build 0day appliance

,----[ Quote ]
| WabiSabiLabi, the company best known for building an online marketplace for
| security flaws, is getting into the hardware business.



What spooks Microsoft's chief security advisor

,----[ Quote ]
| Speaking at the Boston SecureWorld conference Wednesday, the 19-year
| Microsoft veteran whose job includes protecting enterprises, developers and
| Microsoft itself said there actually is plenty of good news on the security
| front. For example, his outfit scans a half million devices (with customer
| permission) per month and in the first half of last year saw the first
| period-over-period decline in new vulnerabilities disclosed across Microsoft
| and non-Microsoft software since 2003. * * *
| However, 3,400 new vulnerabilities were discovered and “it’s still a big
| number,” Arsenault says. “So if vulnerability rates are down, where are
| they?” *


With Vista breached, Linux unbeaten in hacking contest

,----[ Quote ]
| The MacBook Air went first; a tiny Fujitsu laptop running Vista was hacked on
| the last day of the contest; but it was Linux, running on a Sony Vaio, that
| remained undefeated as conference organizers ended a three-way computer
| hacking challenge Friday at the CanSecWest conference. *


Bots rule in cyberspace

,----[ Quote ]
| USA TODAY REPORTS that on an average day, 40 per cent of the 800 million
| computers connected to the Internet are bots used to send out spam, viruses
| and to mine for sensitive personal data.


Vista SP1 will contain undocumented fixes

,----[ Quote ]
| Interesting email in today mailbag: *“Will SP1 contain undisclosed or
| undocumented security fixes?”
| For some people, counting the number of security flaws that one OS has
| compared to another is important because it offers a metric upon which to *
| determine which OS is the most secure (personally, I feel that it’s a bogus
| metric, but I’ll let it slide for now). *However, many claim that Microsoft
| stacks the deck in its favor by not disclosing a full list of vulnerabilities
| that have been patched by omitting to include those discovered and patched
| in-house. * * *



Critical Vulnerability in Microsoft Metrics

,----[ Quote ]
| This is a small subset of all the vulnerabilities, because the
| vulnerabilities that are found through the QA process and the vulnerabilities
| that are found by the security folks they engage as contractors to perform
| penetration testing are fixed in service packs and major updates. For
| Microsoft this makes sense because these fixes get the benefit of a full test
| pass which is much more robust for a service pack or major release than it is
| for a security update. * * *


Skeletons in Microsoft’s Patch Day closet

,----[ Quote ]
| This is the first time I’ve seen Microsoft prominently admit to silently
| fixing vulnerabilities in its bulletins — a controversial practice that
| effectively reduces the number of publicly documented bug fixes (for those
| keeping count) and affects patch management/deployment decisions. *


Beware of undisclosed Microsoft patches

,----[ Quote ]
| Forget for a moment whether Microsoft is throwing off patch counts
| that Microsoft brass use to compare its security record with those
| of its competitors. What do you think of Redmond’s silent patching
| practice?


Microsoft is Counting Bugs Again

,----[ Quote ]
| Sorry, but Microsoft's self-evaluating security counting isn't really a
| good accounting.
| [...]
| The point: Don't count on security flaw counting. The real flaw is
| the counting.

Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIIWdBU4xAY3RXLo4RApXyAJ0fqRxacfdAfQy44gS7Dg 7+J0rUpgCfU5ad